comparison src/http/modules/ngx_http_proxy_module.c @ 5659:3fb6615bb87f
Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.
In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 18 Apr 2014 20:13:24 +0400 |
parents | d15822784cf9 |
children | 7022564a9e0e |
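--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -3772,28 +3772,28 @@
 != NGX_OK)
 {
 return NGX_ERROR;
 }
 
+cln = ngx_pool_cleanup_add(cf->pool, 0);
+if (cln == NULL) {
+return NGX_ERROR;
+}
+
+cln->handler = ngx_ssl_cleanup_ctx;
+cln->data = plcf->upstream.ssl;
+
 if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
 (const char *) plcf->ssl_ciphers.data)
 == 0)
 {
 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
 "SSL_CTX_set_cipher_list(\"%V\") failed",
 &plcf->ssl_ciphers);
 return NGX_ERROR;
 }
 
-cln = ngx_pool_cleanup_add(cf->pool, 0);
-if (cln == NULL) {
-return NGX_ERROR;
-}
-
-cln->handler = ngx_ssl_cleanup_ctx;
-cln->data = plcf->upstream.ssl;
-
 return NGX_OK;
 }
 
 #endif
 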
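Review bot: The relocated `ngx_pool_cleanup_add()` block (new lines 3777-3783) has no comment saying that its position ahead of `SSL_CTX_set_cipher_list()` is what prevents the leak, so a later fallible call inserted above it would silently bring the leak back. I would add, directly above `cln = ngx_pool_cleanup_add(cf->pool, 0);`, a comment such as `/* register the cleanup before any call that can fail, so the SSL context is released on every error return */`. The call whose tail is visible at `!= NGX_OK)` presumably creates the context, but its start and the start of the enclosing function lie outside the hunk, so that should be confirmed against the full file.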